What is DMARC?

Domain-based Message Authentication Reporting & Conformance (DMARC) is an email security protocol. DMARC verifies email senders by building on the Domain Name System (DNS), DomainKeys Identified Mail (DKIM), and Sender Policy Framework (SPF) protocols. 

The DMARC standard was created to block the threat of domain spoofing, which involves attackers using an organization’s domain to impersonate its employees. It also supplements Simple Mail Transfer Protocol (SMTP), which is the basic protocol used to send email messages, but does not include mechanisms for defining or implementing email authentication.

DMARC requires DKIM or SPF to be in place on an email domain and a DMARC record to be published in the DNS. The DMARC policy process, also known as DMARC alignment and identifier alignment, enables the email domain’s policy to be shared and authenticated after the DKIM and SPF status has been checked.

An SPF DKIM DMARC record requests email servers to send Extensible Markup Language (XML) reports to the email address associated with the record. A DMARC checker report provides information about how email moves through a system and enables users to identify all traffic that uses their email domain.

A DMARC record enables domain owners to protect their domains from unauthorized access and usage. This is crucial as email is increasingly vulnerable to cyberattacks, such as phishing, spoofing, whaling, chief executive officer (CEO) fraud, and business email compromise (BEC).

Furthermore, email-based attacks have resulted in people losing trust in email despite it continuing to be one of the most-used communication forms. DKIM and SPF have been used to identify and validate senders for years but did not allow flexibility over what happened if the sender was invalid. This prevented domain owners from taking complete control of their brand, hence the need for DMARC email security.

A DMARC record is included within an organization or domain owner’s DNS database and is a specific version of DNS text records (TXT records). The full DMARC record looks similar to this: “v=DMARC1\; p=none\; rua=mailto:dmarc-aggregate@mydomain.com\; ruf=mailto:dmarc-afrf@mydomain.com\; pct=100”. These various sections within the DMARC record signify:

1. v=DMARC1: The DMARC version specified.
2. p=none: The domain owner’s DMARC policy or preferred treatment of any email messages.
3. rua=mailto:dmarc-aggregate@mydomain.com: The email address to which aggregate reports need to be sent. 
4. ruf=mailto:dmarc-afrf@mydomain.com: The email address to which forensic reports need to be sent.
5. pct=100: The percentage of email that needs to be subjected to a DMARC policy’s specifications. In this case, 100% of email messages that fail a DMARC test will be rejected by the server.

Domain alignment is a DMARC concept that matches the domain of an email against SPF and DKIM. A DMARC record can have varied strictness of DKIM alignment, which affects whether messages will be allowed to pass through the DKIM process. The alignment can either be relaxed, which matches base domains but allows different subdomains, or strict, which precisely matches the whole domain

The policy a domain owner uses in their DMARC record tells the receiving email server what it should do with email that fails DKIM and SPF checks but claims to be from a domain. There are three policies, which are signified by ‘p= policies,’ available:

Signified by ‘p=none,’ this advises the receiving server to perform no action when receiving an unqualified email. However, the server will send email reports to the email address in the DMARC record.

Signified by ‘p=quarantine,’ this advises the receiving server to quarantine any unqualified email. As a result, emails will typically reach recipients’ spam folders.

Signified by 'p=reject,' this advises the receiver to deny unqualified email messages. It ensures only email messages that are 100% verified as being from a domain will reach inboxes. Any email that fails checks will be denied. 

DMARC is a valuable tool for protecting the outbound email channel. But there are a few misconceptions about DMARC that need to be cleared up.

For example, DMARC does not protect your inbound email data stream—at least not when it comes to emails getting sent from outside your organization. Rather, it protects emails being sent from your organization's domain.

Also, it is possible to be too stringent with your DMARC policy, particularly when it comes to how you decide which emails to reject. If you set up a policy that automatically rejects too many emails, you may end up missing legitimate communications.  

What does DMARC stand for? DMARC is short for Domain-based Message Authentication, Reporting, and Conformance. Keeping this DMARC definition in mind, especially the “reporting” and “conformance” elements, here are some best practices and tools to keep in mind:

1. Use DMARC parsing tools to better understand the information in the reports you get.
2. Use professional services consultants with solid DMARC experience to implement your system. In this way, you can leverage their knowledge and experience.
3. As you make use of DMARC, take the time to identify all legitimate email senders, including third-party email providers. This sets the baseline for when you need to further tweak your implementation.

DMARC, DKIM, and SPF are all standards relating to different areas of email authentication. SPF enables senders to define the Internet Protocol (IP) addresses that are allowed to send email from their domain. DKIM verifies email messages using a digital signature and an encryption key, ensuring email messages cannot be altered or faked. 

DMARC unifies these two standards into a common framework. It enables domain owners to advise how they want email from their domain to be handled if it fails authorization.

Fortinet protects email domain owners and users with FortiMail, a comprehensive secure email gateway solution. FortiMail is designed to detect and prevent inbound and outbound threats and works seamlessly with popular email services, such as Exchange, Microsoft 365, and Google Workspace. The solution can detect malware, such as ransomware and viruses, and includes techniques that prevent targeted attacks and stop users from downloading risky files.

The FortiMail solution is supported by FortiGuard Labs, which has visibility into more than 100 million unique emails and offers intelligence into real-time threats. This protects organizations from the latest spam, malware, and virus outbreaks as quickly as possible. 

Discover how to enable Fortinet DMARC, DKIM, and SPF in FortiMail.